EU Wants to Grow Cybersecurity Insurance Marketplace Before Arrival of New Legal Regimes


The European Union cybersecurity insurance market needs to grow up quickly to serve companies scrambling to offload some risk with the arrival of new EU privacy and cybersecurity regimes in May 2018, the EU Agency for Network and Information Security (ENISA) concluded in a recent report.

Insurers see the lack of harmonization in insurance policy risk assessment language as a sign of the cybersecurity insurance market’s immaturity, and an obstacle to its growth.

ENISA cited a variety of reasons that the industry hasn’t yet harmonized risk assessment language, including that they are seeking competitive advantage by differentiating the coverage they offer, a lack of incident and claims data to refine their definitions, reluctance to share data with other insurers, a lack of general industry standards on the topic, a lack of legislation on the issue, and the complexity of cybersecurity insurance products. ENISA prodded the cybersecurity insurance industry and lawmakers to take steps to remove those roadblocks preventing the growth of the market.

The industry should develop standardized policy language and underwriting questionnaires, promote data sharing, develop industry standards, and build in-house cybersecurity expertise, ENISA recommended. 

“Standardising policy language will help insurers and customers to mutually understand what they are selling and buying and increase buyer understanding and trust in cyber-insurance products,” Udo Helmbrecht, executive director of ENISA, said in a statement.

Policymakers, according to ENISA, should develop minimum standards, leverage the data that becomes available as a result of the mandatory incident reporting introduced by the EU General Data Protection Regulation and Network and Information Security Directive, create a central repository of that incident data, and develop guidelines.

Cybersecurity insurance is a relatively new type of coverage and policymakers around the world are trying to ensure that it’s able to provide the backstop that companies are looking for. U.S. companies are increasingly looking to cybersecurity insurance as large-scale cyberattacks become more common, and companies become more aware of them.

Lawmakers in the U.S. Congress have recently tried to get small businesses extra resources because they that don’t have the same cybersecurity sophistication or available resources as large companies. Access to cybersecurity insurance is an important element of the effort to bring small businesses up to speed, witnesses said told Congress at hearings on the matter.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.